MalwareBazaar Database

You are currently viewing the MalwareBazaar entry for SHA256 2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301. While MalwareBazaar tries to identify whether the sample provided is malicious or not, there is no guarantee that a sample in MalwareBazaar is malicious.

Database Entry


RedLineStealer


Vendor detections: 9


Intelligence 9 IOCs 1 YARA 1 File information Comments
Download sample Add tag Delete this sample Report a False Positive

SHA256 hash: 2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301
SHA3-384 hash: 31ccb1cacd36b2c7e199d519530808aef4b20fb7ba4f4187bd0f173acfb26ed34020ef6c2c2533de0c3233593ec06139
SHA1 hash: 709cde4326af52f644cf00d260af65bdd0cbf5e1
MD5 hash: 33815ecf51b4a2f18811fba9ed999d36
humanhash: hotel-delaware-yellow-golf
File name:33815ECF51B4A2F18811FBA9ED999D36.exe
Download: download sample
Signature RedLineStealer
Create hunting rule
File size:2'640'414 bytes
First seen:2021-06-07 05:41:00 UTC
Last seen:Never
File type:Executable exe
MIME type:application/x-dosexec
imphash 6e7f9a29f2c85394521a08b9f31f6275 (278 x GuLoader, 44 x RemcosRAT, 40 x VIPKeylogger)
ssdeep 49152:rT6EUUYJw/CcOgrc76FANFx22udSWdKP3aTtnTCaVuGSnBR8A6T5ZNVZSz6:X6EUUYJwacOgrc/NFx7qOKxnnQG0BGdt
Threatray 579 similar samples on MalwareBazaar
TLSH 7EC523C0C1D14A71FD790A364173FCF2426BAE6B6C28A9C4F9797561E9334D6A43A80F
Reporter abuse_ch
Tags:exe RedLineStealer


Avatar
abuse_ch
RedLineStealer C2:
83.136.232.97:54367

Indicators Of Compromise (IOCs)

Below is a list of indicators of compromise (IOCs) associated with this malware samples.

IOCThreatFox Reference
83.136.232.97:54367 https://threatfox.abuse.ch/ioc/72122/

Intelligence

File Origin
# of uploads :
1
# of downloads :
115
Origin country :
n/a
Vendor Threat Intelligence
Malware family:
n/a
ID:
1
File name:
33815ECF51B4A2F18811FBA9ED999D36.exe
Verdict:
Suspicious activity
Analysis date:
2021-06-07 05:45:02 UTC
Tags:
n/a
Link:
https://app.any.run/tasks/17c1f922-017d-4173-b16a-4f32e6d58014

Note:
ANY.RUN is an interactive sandbox that analyzes all user actions rather than an uploaded sample
Detection:
n/a
Link:
https://www.capesandbox.com/analysis/164827/
Detection(s):
SecuriteInfo.com.Trojan.PWS.Steam.19390.13490.17676.UNOFFICIAL
Create hunting rule

Result
Verdict:
Clean
Maliciousness:

Behaviour
Creating a window
Creating a file in the %AppData% directory
Sending a UDP request
Result
Verdict:
MALICIOUS
Details
Windows PE Executable
Found a Windows Portable Executable (PE) binary. Depending on context, the presence of a binary is suspicious or malicious.
Result
Threat name:
RedLine
Create hunting rule
Detection:
malicious
Classification:
troj.spyw.evad
Score:
100 / 100
Link:
https://www.joesandbox.com/analysis/797921
Signature
Allocates memory in foreign processes
Antivirus detection for dropped file
Benign windows process drops PE files
Connects to many ports of the same IP (likely port scanning)
Creates a thread in another existing process (thread injection)
Detected unpacking (changes PE section rights)
Detected unpacking (overwrites its own PE header)
Disables Windows Defender (via service or powershell)
Found malware configuration
Injects a PE file into a foreign processes
Injects code into the Windows Explorer (explorer.exe)
Machine Learning detection for dropped file
Machine Learning detection for sample
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines)
Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines)
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Tries to harvest and steal browser information (history, passwords, etc)
Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc)
Tries to steal Crypto Currency Wallets
Tries to steal Mail credentials (via file access)
Uses known network protocols on non-standard ports
Uses schtasks.exe or at.exe to add and modify task schedules
Writes to foreign memory regions
Yara detected RedLine Stealer
Behaviour
Behavior Graph:
Download SVG
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 430318 Sample: s1um6myHDC.exe Startdate: 07/06/2021 Architecture: WINDOWS Score: 100 86 piporopopo.com 2->86 88 lkjhgfdsa4.ru 2->88 90 ip.com 2->90 128 Snort IDS alert for network traffic (e.g. based on Emerging Threat rules) 2->128 130 Multi AV Scanner detection for domain / URL 2->130 132 Found malware configuration 2->132 134 10 other signatures 2->134 11 s1um6myHDC.exe 1 20 2->11         started        14 curl.exe 2->14         started        17 getmac.exe 2->17         started        signatures3 process4 dnsIp5 84 C:\Users\user\AppData\Roaming\control.dll, PE32 11->84 dropped 19 laun.dll 11->19         started        22 der.dll 11->22         started        24 Tausuus.dll 11->24         started        27 6 other processes 11->27 94 test-test2.ru 92.63.97.203, 21 THEFIRST-ASRU Russian Federation 14->94 96 ip.com 17->96 file6 process7 dnsIp8 70 C:\Users\user\AppData\Roaming\laun.exe, PE32 19->70 dropped 30 laun.exe 19->30         started        72 C:\Users\user\AppData\Roaming\der.exe, PE32 22->72 dropped 34 der.exe 22->34         started        74 C:\Users\user\AppData\Roaming\Tausuus.exe, PE32 24->74 dropped 136 Multi AV Scanner detection for dropped file 24->136 37 Tausuus.exe 24->37         started        92 iplogger.com 27->92 76 C:\Users\user\AppData\Roaming\sistemes.exe, PE32 27->76 dropped 78 C:\Users\user\AppData\Roaming\red.exe, PE32 27->78 dropped 80 C:\Users\user\AppData\Roaming\curl.dll, PE32 27->80 dropped 82 8 other files (3 malicious) 27->82 dropped 39 red.exe 27->39         started        41 sistemes.exe 27->41         started        43 autorun.exe 1 27->43         started        45 iexplore.exe 57 27->45         started        file9 signatures10 process11 dnsIp12 98 ip.com 30->98 138 Detected unpacking (changes PE section rights) 30->138 140 Detected unpacking (overwrites its own PE header) 30->140 142 Injects code into the Windows Explorer (explorer.exe) 30->142 160 4 other signatures 30->160 47 explorer.exe 30->47 injected 100 ip.com 34->100 66 C:\Users\user\...\MicrosoftEdgeCPS.exe, PE32 34->66 dropped 52 MicrosoftEdgeCPS.exe 34->52         started        104 2 other IPs or domains 37->104 144 Tries to harvest and steal Putty / WinSCP information (sessions, passwords, etc) 37->144 146 Tries to steal Mail credentials (via file access) 37->146 148 Tries to harvest and steal browser information (history, passwords, etc) 37->148 106 3 other IPs or domains 39->106 150 Queries sensitive video device information (via WMI, Win32_VideoController, often done to detect virtual machines) 39->150 152 Queries sensitive disk information (via WMI, Win32_DiskDrive, often done to detect virtual machines) 39->152 154 Tries to steal Crypto Currency Wallets 39->154 108 2 other IPs or domains 41->108 68 C:\ProgramData\...\getmac.exe, PE32 41->68 dropped 156 Uses schtasks.exe or at.exe to add and modify task schedules 41->156 54 schtasks.exe 41->54         started        102 ip.com 43->102 158 Multi AV Scanner detection for dropped file 43->158 56 WerFault.exe 43->56         started        110 5 other IPs or domains 45->110 file13 signatures14 process15 dnsIp16 112 lkjhgfdsa4.ru 185.17.121.245, 25998, 49744, 49747 LEASEWEB-DE-FRA-10DE Russian Federation 47->112 64 C:\ProgramData\TimeManager.exe, PE32 47->64 dropped 118 System process connects to network (likely due to code injection or exploit) 47->118 120 Benign windows process drops PE files 47->120 114 bigblueballon.top 8.208.27.152, 49742, 80 CNNIC-ALIBABA-US-NET-APAlibabaUSTechnologyCoLtdC Singapore 52->114 116 ip.com 52->116 122 Detected unpacking (changes PE section rights) 52->122 124 Detected unpacking (overwrites its own PE header) 52->124 126 Disables Windows Defender (via service or powershell) 52->126 58 powershell.exe 52->58         started        60 conhost.exe 54->60         started        file17 signatures18 process19 process20 62 conhost.exe 58->62         started       
Detection:
n/a
Link:
https://mwdb.cert.pl/sample/2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301/
Threat name:
Win32.Infostealer.Grand
Create hunting rule
Status:
Malicious
First seen:
2021-06-04 01:41:18 UTC
AV detection:
15 of 29 (51.72%)
Threat level:
  5/5
Detection(s):
Malicious file
Link:
https://check.spamhaus.org/check/?searchterm=f53oufeesg2vqei6quwoochyqaujnqq4hmmchhiua6htcobc4maq._file
Verdict:
malicious
Similar samples:
04361291bf3ae8acd73f886bf5cab71fa35097256e12c0bb1b2360d4603a40e7
RedLineStealer
28f1bd1e02427a817d05c69884c5d5ccf3455859a2f1c3a6dce5e6da75141bcd
RedLineStealer
2c32dcb54c310daf509527d74de8ab4cb7b45425fa543a5df22afd1e9bd00fd5
RedLineStealer
541ebfa6dd694728edd3cf536a13c739179edadcd880e7c28e074b60da1bcac8
RedLineStealer
6a966d8a8bc18b016f35a159c110eb8dd5527b83e39db5fa7300e4634c9cb096
RedLineStealer
da19103e927e19daedc51212deb60ceca403e3e9876c52a9dec41d7e6215929b
RedLineStealer
e6e11a92390d1e01775514d1a4f047f5b94471070a07bf82b6e9fe5c547d55a8
RedLineStealer
ea50cc254fa1cc865d19d13bbdf206dc69092d6f723cb56a3843d74ba83e64a0
RedLineStealer
ecf100d294f5b6b63ebc4e1430f6a07b07e3899b0c447a536d7c53c51d711549
RedLineStealer
ffecd6261932159067dd93f5c1df26f8da517f37ded13d122db853c1c84e7924
RedLineStealer
+ 569 additional samples on MalwareBazaar
Result
Malware family:
taurus
Create hunting rule
Score:
  10/10
Tags:
family:diamondfox family:redline family:taurus botnet:002 botnet discovery infostealer persistence spyware stealer trojan
Link:
https://tria.ge/reports/210607-4n7a85qhxj/
Behaviour
Checks processor information in registry
Creates scheduled task(s)
Delays execution with timeout.exe
Modifies Internet Explorer settings
Modifies registry class
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of UnmapMainImage
Suspicious use of WriteProcessMemory
Enumerates physical storage devices
Program crash
Drops file in Windows directory
Accesses 2FA software files, possible credential harvesting
Accesses cryptocurrency files/wallets, possible credential harvesting
Adds Run key to start application
Checks installed software on the system
Checks computer location settings
Loads dropped DLL
Reads user/profile data of web browsers
Executes dropped EXE
DiamondFox payload
DiamondFox
RedLine
RedLine Payload
Taurus Stealer
Taurus Stealer Payload
Malware Config
C2 Extraction:
piporopopo.com:54367
Unpacked files
SH256 hash:
608d2c68c14bca567b4aece4c2aa6d8ed866c767ff68404e86a6443168cac8d6
MD5 hash:
433b5d3a94f8c4d203dfd059d6195322
SHA1 hash:
442eb95aa07a6a5f939e0d2e03251f88f4d6ffed
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
8c64d40709d14fa07a95632bd1fef103cc0bb60ae48520b61b1d789801f8aa80
MD5 hash:
26434cdde23db00971d8f5ecc8ed5375
SHA1 hash:
8dcd79398483be9f740eafbd5baedb269df71885
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
7903b99ee97ee2ead061b894dd95c8f84cd1dc3e5a82ccf10b8217c599aac9b3
MD5 hash:
54df3818224a1ed5b6a873726d3af48c
SHA1 hash:
e1cf2483f57ba0844cc0d0e3ded85d7f01989aab
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
ecdeb5470675ae8ce0c2f303dbded3ae58773ec92fff3f346ebbf340c21b4528
MD5 hash:
3eb9aa9763e7d5379c65e7ad773507ae
SHA1 hash:
e4fd2907f2d468d829701f78bcaa977b88c5e356
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
e15c88bf4aa450851de6579e303a7672bb89d715f2ea6589fe2531a2a9e51313
MD5 hash:
8d91fdf3c873c858c602c14fd2b8c92c
SHA1 hash:
8a259e800f7c8d3b8de29668794322670f375cc5
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
abcac4eef0ce9e5bf5a0834b4238944b54180c8a2ac76b77368b7e308a91cb8a
MD5 hash:
9e391cff6b4f9f2196bd24ddf85b1bd9
SHA1 hash:
68d02e75d870b2bb31c66bb804ad71e2decdcbdc
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
2de55e087886d1f809d688e8d37ce081e7624150f725b800dc40735c425dd316
MD5 hash:
7d17f55dcad4fd9b8260a1477d1c5737
SHA1 hash:
623e87d0197dd0a3833b4949f01ef6e64364ceb7
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
dda5436e8934a0afc036175f4ff23d87cfa1bbbb3c63947979643a77c04be803
MD5 hash:
1a999014f6b049ca31ecfedc4282d997
SHA1 hash:
b0bae5a4986243c107af9869008a83805251fd87
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
SH256 hash:
2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301
MD5 hash:
33815ecf51b4a2f18811fba9ed999d36
SHA1 hash:
709cde4326af52f644cf00d260af65bdd0cbf5e1
Link:
https://www.unpac.me/results/1c79c1ce-2865-47ca-93a9-a00766353344/
Please note that we are no longer able to provide a coverage score for Virus Total.
Threat name:
Malicious File
Score:
1.00
Link:
https://yomi.yoroi.company/submissions/2f76ea148491b558111e852ce708f8802896c21c3b18239d14078f313822e301

YARA Signatures

MalwareBazaar uses YARA rules from several public and non-public repositories, such as YARAhub and Malpedia. Those are being matched against malware samples uploaded to MalwareBazaar as well as against any suspicious process dumps they may create. Please note that only results from TLP:CLEAR rules are being displayed.

Rule name:SUSP_XORed_Mozilla
Create hunting rule
Author:Florian Roth
Description:Detects suspicious XORed keyword - Mozilla/5.0
Reference:Internal Research

File information

The table below shows additional information about this malware sample such as delivery method and external references.

Cape
Cape
https://www.capesandbox.com/analysis/164827/

Comments